b'           NATIONAL AERONAUTICS AND SPACE ADMINISTRATION\n                             OFFICE OF INSPECTOR GENERAL\n\n\n\n\nBO JIANG\xe2\x80\x99S ACCESS TO NASA\xe2\x80\x99S\n LANGLEY RESEARCH CENTER\n\n\n\n\n                                  INVESTIGATIVE SUMMARY\n\n\n\n\n                                       OCTOBER 22, 2013\n\x0c       I.    INTRODUCTION1\n\nOn March 16, 2013, agents from the Department of Homeland Security conducted a\nborder search of former NASA contractor Bo Jiang at Dulles International Airport as part\nof an investigation of potential export control violations. Jiang, a citizen of the People\xe2\x80\x9fs\nRepublic of China, was preparing to fly home to China. After questioning him about\nwhat electronic media he had in his possession and searching his belongings, agents took\nJiang into custody and charged him with making a false statement to Federal authorities.2\n\nSix weeks later, Jiang pleaded guilty in Federal court to a misdemeanor offense of\nviolating Agency security rules by using a NASA laptop to download copyrighted\nmovies, television shows, and sexually explicit material.3 In the court proceeding, Jiang\ndid not admit to lying to Federal agents or possessing sensitive NASA information.\nFederal prosecutors and Jiang stipulated in a court filing accompanying the plea that\n\xe2\x80\x9cnone of the computer media that Jiang attempted to bring to [China] on March 16, 2013,\ncontained classified information, export-controlled information, or NASA proprietary\ninformation.\xe2\x80\x9d4\n\nHowever, in an interview with Department of Justice officials after the court proceeding,\nJiang admitted that the laptop computer he carried with him when he attempted to leave\nthe United States in March contained some NASA information. According to these\nofficials, the nature of the information on Jiang\xe2\x80\x9fs computer and how he obtained it\nremains under investigation.\n\nAt the time of his arrest, Jiang had lived in the United States since 2007, first as a Ph.D.\nstudent and then as a postdoctoral research assistant for the National Institute of\nAerospace (NIA), a non-profit research and graduate education organization located in\nHampton, Virginia. In 2002, NASA\xe2\x80\x9fs Langley Research Center (Langley) and the NIA\n\n1\n We provided a full report of our findings to the NASA Administrator and the Langley Center Director.\nBecause the full report contains information protected by the Privacy Act of 1974, as amended, 5 U.S.C.\n\xc2\xa7 552a, we prepared a summary for public release.\n2\n  The charge, 18 U.S.C. \xc2\xa7 1001, is a felony offense that carries a maximum prison sentence of 5 years.\nAccording to the affidavit signed by a Federal Bureau of Investigation agent in support of Jiang\xe2\x80\x9fs arrest\nwarrant: \xe2\x80\x9cDuring the consensual encounter, federal agents asked JIANG what electronic media he had with\nhim. JIANG told the Homeland Security Agent that he had a cellphone, a memory stick, an external hard\ndrive and a new computer. However, during the search, other media items were located that JIANG did not\nreveal. Such items include an additional laptop, an old hard drive and a SIM card.\xe2\x80\x9d\n3\n  Any willful violation, attempt at a violation, or a conspiracy to violate any NASA regulation or order\ncreated for the protection or security of a NASA facility or property (e.g., NASA-owned computer\nequipment) can be prosecuted as a misdemeanor under 18 U.S.C. \xc2\xa7 799. Conviction under this section can\nresult in a maximum prison sentence of one year. Jiang violated NASA Policy Directive 2540.1, Personal\nUse of Government Office Equipment Including Information Technology, by downloading these materials.\n4\n  U.S. v. Jiang, Statement of Facts, U.S. District Court for the Eastern District of Virginia, Newport News\nDivision (May 2, 2013). Export-controlled information refers to certain materials, devices, or information\nrestricted by Federal laws and regulations from flowing outside the United States or being shared with\nforeign persons.\n\n                                                     1\n\x0centered into a cooperative agreement pursuant to which Langley frequently hired NIA\npersonnel as contractors to work on NASA research projects. Prior to his arrest, Jiang\nhad been working on a research project with NASA employees in Langley\xe2\x80\x9fs\nElectromagnetics and Sensors Branch.\n\nEarlier in March 2013, Congressman Frank Wolf of Virginia publicly questioned whether\nNASA had inappropriately afforded Jiang access to Langley and to Agency data and\ninformation technology (IT). The Congressman\xe2\x80\x9fs concerns were prompted at least in part\nby internal NASA documents suggesting it had been improper for Langley to hire Jiang\nas a contractor, to allow him unescorted access to the Center, and to provide him with\ndata related to his research. As discussed below, in a number of respects these\ndocuments contained incorrect information that led to confusion about the propriety of\nJiang\xe2\x80\x9fs access to and work at Langley.\n\nThe Office of Inspector General (OIG) conducted an administrative investigation to\nexamine the process by which Jiang came to work at Langley and the information and IT\nresources to which he was given access.\n\n\n     II.   BACKGROUND\n\nJiang came to the United States in 2007 and earned a Ph.D. in Electrical and Computer\nEngineering from Old Dominion University in Norfolk, Virginia in the summer of 2010.\nAt Old Dominion, Jiang studied with Professor Zia-ur Rahman, who for many years,\ncollaborated with employees in Langley\xe2\x80\x9fs Electromagnetics and Sensors Branch (the\nBranch) to develop technology that would allow for real-time video image enhancement\nto improve aircraft safety by making it easier for pilots to fly in poor visibility conditions.\nIn June 2010, Rahman left Old Dominion to become a civil servant in the\nElectromagnetics and Sensors Branch. Rahman helped Jiang get hired at NIA and under\ncontract with NASA. However before Jiang began working at Langley, Rahman was\nkilled in an automobile accident on December 16, 2010.\n\nBecause of Jiang\xe2\x80\x9fs close working relationship with Rahman, Rahman\xe2\x80\x9fs co-workers in the\nBranch decided to move forward with hiring Jiang (whom they had met only once).\nJiang began working at Langley in January 2011. Early on in his work, Jiang was given\naccess to select computer files Rahman\xe2\x80\x9fs co-workers had taken from his hard drive after\nhis death. Several months later, Jiang copied material from Rahman\xe2\x80\x9fs hard drive onto a\nlaptop that Branch employees purchased for Jiang through a NASA contract. Although\nthe employees were coordinating with Langley security and export control staff\nconcerning Jiang\xe2\x80\x9fs work for the Center, they did not consult with these individuals before\ngiving Jiang access to the information on Rahman\xe2\x80\x9fs hard drive or inform them that they\nhad done so.\n\n\n\n\n                                               2\n\x0c         A. Policy and Procedures Regarding Access by Foreign Nationals to NASA\n            Facilities, Information, and IT Resources\n\nA complex series of rules, regulations, and processes govern access by foreign nationals\nto NASA facilities, information, and IT resources. In part, these rules seek to ensure that\nforeign nationals are not inappropriately granted access to controlled or sensitive\ninformation, including information that under U.S. law may not be transferred to foreign\nentities or persons without a license. This type of material is generally referred to as\n\xe2\x80\x9cexport-controlled\xe2\x80\x9d information.5\n\nPursuant to NASA regulations, no contractor may be given access to a NASA Center,\nfacility, or IT system until completion of a National Agency Check (NAC), submission of\nthe paperwork necessary to complete the inquiries portion of the National Agency Check\nwith Inquiries (NACI), and a favorable interim access determination by NASA security\npersonnel.6 At NASA, foreign nationals must be escorted at all times while on NASA\nproperty pending completion of the NACI and a favorable determination by NASA\nsecurity officials. Finally, Agency policy requires preparation of a Technology Transfer\nControl Plan to outline the foreign national\xe2\x80\x9fs approved access to NASA facilities and\ninformation. At Langley, this plan is referred to as a Security Technology Transfer\nControl Plan (STTCP or Plan).\n\nThe STTCP sets the general parameters of a foreign national\xe2\x80\x9fs access to a NASA facility\nand to NASA IT resources and information. As part of the Plan, a NASA employee is\ndesignated as the host or sponsor of the foreign national and charged with taking \xe2\x80\x9call\nreasonable measures to prevent the disclosure of inappropriate information to foreign\npersons.\xe2\x80\x9d Specifically, unless the foreign national has received an export license, the\nPlan allows sponsors to share only information that \xe2\x80\x9cis unclassified, non-sensitive, [or]\nnon-export controlled\xe2\x80\x9d or that has \xe2\x80\x9cbeen approved for release to the general public.\xe2\x80\x9d\nWith regard to export-controlled information, NASA policy advises employees to\n\xe2\x80\x9c[c]onsult with the Center Export Administrator, Center Export Counsel, Headquarters\nExport Administrator or Headquarters Export Counsel for guidance.\xe2\x80\x9d7 In addition,\n\n5\n The specific hardware and technical data subject to these rules are listed on the State Department\xe2\x80\x9fs U.S.\nMunitions List\n(http://www.pmddtc.state.gov/regulations_laws/documents/consolidated_itar/ITAR_Part121.pdf) and the\nCommerce Department\xe2\x80\x9fs Commerce Control List\n(http://www.bis.doc.gov/index.php/regulations/commerce-control-list-ccl).\n6\n  The NAC consists of a review of four Government databases for information concerning the contractor.\nThe NACI gathers additional information about the individual from former employers, educational\ninstitutions, and other entities with which the individual has had contact.\n7\n  NASA Procedural Requirement 2190.1, NASA Export Control Program. This NPR provides guidance for\nNASA employees and contractors engaged in the transfer of information and technology to foreign\nindividuals and organizations. It defines an export as the \xe2\x80\x9ctransfer of anything to a \xe2\x80\x9eForeign Person\xe2\x80\x9f or\nforeign destination.\xe2\x80\x9d In addition, if an employee is in doubt about a particular transfer or export, they\nshould refrain from the transaction, provide all relevant information to the Headquarters or Center Export\nControl Administrator, and await their determination.\n\n\n                                                     3\n\x0csponsors are to brief foreign nationals on the contents of the STTCP and ensure that co-\nworkers in the area in which the foreign national will work are aware of his or her status\nand the restrictions on the foreign national\xe2\x80\x9fs access to certain information. STTCPs are\nreviewed and approved by personnel in several Center offices.\n\nApart from the STTCP, all requests for foreign national access at NASA are processed\nthrough an electronic database known as the Identity Management & Account Exchange\n(IdMAX) system. The system is designed to contain all information needed to review\nand approve a foreign national\xe2\x80\x9fs access request, including the STTCP, which can but is\nnot required to be uploaded into the system. Each NASA Center has some ability to\ntailor IdMAX to fit its particular processes. The process described below reflects how\nIdMAX operated at Langley during the time period Jiang had access to the Center.\n\nGenerally, the process begins with submission of a visit request, which in Jiang\xe2\x80\x9fs case\nwas generated by an NIA administrative assistant. The requestor enters basic personal\ninformation about the foreign national into the system (e.g., name, date of birth,\neducational background) and designates a NASA employee as the \xe2\x80\x9csponsor\xe2\x80\x9d of the\nrequest.8 For foreign national contractor employees, a technical representative serves as\nthe IdMAX sponsor.\n\nThe technical representative confirms that the foreign nation has a relationship with\nNASA through a contract, grant, or other agreement. Once approved by the sponsor, the\nrequest is routed to and reviewed by employees in Langley\xe2\x80\x9fs Office of Security Services,\nincluding employees with responsibility for export control matters.\n\nCenter security personnel review the request to ensure that the foreign national has a\nvalid visa, has been vetted against specified Government databases, and that a STTCP\nhas been developed. In addition, they enter the foreign national\xe2\x80\x9fs name into several\nGovernment databases to determine if he or she is affiliated with a denied party or entity,\non the terrorist watch list, or from a country under U.S. sanctions or embargo. Once\nthese checks are complete, the request is forwarded to export control staff for review. If\nthe foreign national is from certain \xe2\x80\x9cdesignated countries\xe2\x80\x9d (including China), this review\ninvolves both Center and Headquarters personnel.\n\nAt Headquarters, the request is reviewed to ensure that it is consistent with applicable\nU.S. foreign policy, agreements, and laws related to the country and re-checked for any\nderogatory information in Government databases. In addition, export control personnel\nindicate in the IdMAX system the conditions or \xe2\x80\x9cprovisos\xe2\x80\x9d that will apply to the foreign\nnational\xe2\x80\x9fs visit. For example, the foreign national may be required to be escorted at all\ntimes when he or she is on Center. These provisos are selected from a pre-set list\ndeveloped by the Headquarters\xe2\x80\x9f Export Control Office that has evolved over time.\n\nFollowing Headquarters review, the request is routed back to Center security personnel\nfor final approval. If the request is approved, IdMAX sends the sponsor and the\n\n8\n The term \xe2\x80\x9csponsor\xe2\x80\x9d is used both in IdMAX and in the STTCP; however, oftentimes different individuals\nserve in these roles.\n\n                                                  4\n\x0crequestor an electronic message notifying them of the approval. This message also\ncontains information about the provisos export control and security personnel have\nplaced on the foreign national\xe2\x80\x9fs visit. It is important to note that this message is not sent\nto the individual named in the STTCP as the foreign national\xe2\x80\x9fs sponsor.\n\n        B. Funding Restriction Relating to China\n\nThe legislation funding NASA for fiscal years 2011 and 2012 contained language\nprohibiting the Agency from spending appropriated funds \xe2\x80\x9cto develop, design, plan,\npromulgate, implement, or execute a bilateral policy, program, or contract of any kind to\nparticipate, collaborate, or coordinate bilaterally in any way with China or any Chinese\nowned-company\xe2\x80\x9d or to host official Chinese visitors at NASA facilities.9 In a March 7,\n2012, letter to Congressman Wolf, the NASA Administrator stated that pursuant to this\nprovision, \xe2\x80\x9cNASA has declined all bilateral engagement with China and Chinese-owned\ncompanies\xe2\x80\x9d and has not permitted \xe2\x80\x9cany visit to a NASA-owned or-utilized facility by any\nofficial Chinese visitors where such a visit effectuated the bilateral participation,\ncollaboration, or coordination with China or a Chinese-owned company.\xe2\x80\x9d Importantly\nfor purposes of this administrative investigation, the provision does not restrict individual\nChinese foreign nationals like Jiang from visiting NASA facilities or working as paid\nNASA contractors.\n\n\n    III.    JIANG\xe2\x80\x99S TENURE AS A NASA CONTRACTOR\n\nThe cooperative agreement between NASA and NIA required NIA to obtain a license if a\nforeign national employed by NASA under the agreement would be working with export-\ncontrolled material. To determine if a license was needed, NIA considers the type of\nwork and the information and technology to which the foreign national would have\naccess. In Jiang\xe2\x80\x9fs case, NIA determined that his work constituted \xe2\x80\x9cfundamental\nresearch\xe2\x80\x9d and therefore an export control license was not required. Fundamental research\nis basic and applied research in science and engineering, the results of which ordinarily\nare published and shared broadly within the scientific community. This determination\nwas made by a Langley contractor employee who both worked at Langley and served as\nan export consultant to NIA. Before making this determination, NIA provided the\ncontract employee a synopsis of the research Jiang would be doing, which NIA had\ncreated based on information supplied by Rahman.\n\nOn November 23, 2010, NIA submitted a foreign national visit request for Jiang to\nLangley officials. The request was made in hard copy and listed Rahman as Jiang\xe2\x80\x9fs\nsponsor and the dates of the proposed visit as November 29, 2010, through September 25,\n2012. In the \xe2\x80\x9cjustification\xe2\x80\x9d section of the document, NIA stated that Jiang had \xe2\x80\x9cexpertise\nin the area of image processing and image detection\xe2\x80\x9d and that he would work on \xe2\x80\x9creal\n\n9\n Section 1340 of the Department of Defense and Full-Year Continuing Appropriations Act of 2011. Public\nLaw 112-10 (April 15, 2011); Section 539 of the Consolidated and Further Continuing Appropriations Act\nof 2012, Public Law 112-55 (November 18, 2011).\n\n\n                                                  5\n\x0ctime video enhancement\xe2\x80\x9d and \xe2\x80\x9creal time edge detection.\xe2\x80\x9d The request included the\ndetermination that the \xe2\x80\x9cproposed work is generic and not application specific\xe2\x80\x9d and was\n\xe2\x80\x9cresulting from fundamental research.\xe2\x80\x9d The NIA request continued: \xe2\x80\x9cMany publications\nand software codes exist in this area of research and the intent is to publish the results of\nthis work.... The proposed work can be done without need for a[n export control]\nlicense.\xe2\x80\x9d This determination was later included in the IdMAX request and shared with\nLangley export control personnel.\n\nIn accordance with NASA\xe2\x80\x9fs requirements, Langley and NIA officials developed an\nSTTCP for Jiang. The Plan stated that Jiang would be \xe2\x80\x9ccollaborating with Langley\nresearchers . . . to utilize his experience in the area of image enhancement and edge\ndetection.\xe2\x80\x9d Jiang, who was out of the country at the time, did not sign the document.\nAfter Rahman\xe2\x80\x9fs death, the STTCP was resubmitted with a different Branch employee\nnamed as Jiang\xe2\x80\x9fs sponsor. This Plan was never uploaded into IdMAX and Jiang did not\nsign this version of the document either. Moreover, the employee listed in the document\nas Jiang\xe2\x80\x9fs sponsor told the OIG that he did not provide a copy of the STTCP to Jiang or\ndiscuss it with him and that he viewed the document as \xe2\x80\x9cboilerplate\xe2\x80\x9d because the work\nthat Jiang would be doing did not \xe2\x80\x9chave anything to do with security.\xe2\x80\x9d Although Jiang\nsigned a subsequent version of the STTCP, he told the FBI that no one at Langley ever\nreviewed or discussed any of the Plans with him. Jiang\xe2\x80\x9fs sponsors told us that they did\nnot provide copies of the Plans to other NASA employees in the Branch who may have\nhad contact with Jiang or brief them on the Plans\xe2\x80\x9f provisions.\n\nWhen the NIA submitted its initial visit request for Jiang in November 2010, Langley\nwas transitioning to IdMAX from a previous identity management system. Because of\nthis transition, NIA did not initiate a visit request for Jiang in IdMAX until January 2011\nwhen it was entered by an NIA administrative employee. On January 25, a Langley\ntechnical representative approved the request in IdMAX thereby confirming that Jiang\nwould be working under the agreement and that the estimated cost to NASA for his work\nover a 2-year period would be $194,854.10 The request was then automatically routed to\nLangley export control personnel, who approved it on January 31, 2011. From there, it\nwas routed to NASA Headquarters.\n\nAfter confirming that it did not conflict with U.S. foreign policy or any agreements with\nChina, an employee in the Headquarters\xe2\x80\x9f Office of International and Interagency\nRelations approved the request in IdMAX on February 1, 2011. The request was then\nrouted to the Headquarters\xe2\x80\x9f Export Control Office.\n\n\n\n\n10\n  The length of Jiang\xe2\x80\x9fs contract was later extended and this figure was adjusted to $315,193 for activity\nthrough September 2013. However, as discussed below the contract was terminated in January 2013.\n\n\n                                                     6\n\x0cFrom a list of 32, a contractor employee in the Export Control Office applied 10 provisos\nto Jiang\xe2\x80\x9fs access request:\n\n     \xef\x82\xa7 The visitor shall be escorted at all times.\n     \xef\x82\xa7 Approved access is limited to information in the public domain; no access\n       to classified, sensitive but unclassified, or export-controlled information\n       or hardware is authorized.\n     \xef\x82\xa7 The visit is authorized only so long as there is a valid visa in effect.\n     \xef\x82\xa7 Copies of the visit approval provisos/conditions are to be provided by the\n       NASA host to all NASA employees and on-site contractor employees\n       working with this foreign person.\n     \xef\x82\xa7 The visit is approved based on no cost to NASA; payment of\n       stipends/expenses against a NASA grant/contract/agreement is not\n       authorized.\n     \xef\x82\xa7 Host is to confer with Center Export Administrator to determine export\n       classification of data and hardware to be accessed prior to visit.\n     \xef\x82\xa7 A non-disclosure agreement is required for this assignment. A\n       Security/Technology Transfer Control Plan must be in place and approved\n       prior to this visit.\n     \xef\x82\xa7 Release of NASA software source code is not authorized.11\n     \xef\x82\xa7 The Program Manager shall coordinate the decision to make this project\n       fundamental research with the Center Export Administration and will\n       document the decision; a copy should be kept by the [Center Export\n       Administrator] and program manager.\n     \xef\x82\xa7 The employer, National Institute of Aerospace, is responsible for\n       compliance with U.S. export control laws and regulations and for seeking\n       an appropriate license if required; NASA host should be apprised of these\n       provisos and is responsible for informing the employer of this proviso.\n\nA supervisor in the Office reviewed and concurred with this list of provisos.\n\nWe asked the contractor employee and the supervisor why they applied the \xe2\x80\x9cno payment\xe2\x80\x9d\nproviso when it was clear that Langley was planning to hire Jiang as a contractor to\nconduct research pursuant to its agreement with the NIA. They told us that this was a\nstandard proviso that they routinely attached to all foreign national visits and that it\npredated the funding restrictions contained in the NASA appropriations legislation.\nHowever, the contract employee said she did not understand why the Export Control\nOffice included this proviso since the Office did not have authority to determine funding\nof contracts and the supervisor admitted that \xe2\x80\x9cno one really knew what [the proviso]\nmeant,\xe2\x80\x9d [b]ecause everybody\xe2\x80\x9fs paid somehow and the company\xe2\x80\x9fs getting money from\nNASA.\xe2\x80\x9d\n\n\n11\n  The supervisor told us that this provision covered computer code that would not be disseminated into the\npublic domain. As discussed above, Langley researchers anticipated publicly sharing the work Jiang was\nconducting.\n\n\n                                                    7\n\x0cWhen we pointed out to the supervisor that Langley was hiring Jiang under the NIA\ncooperative agreement, she agreed that the proviso did not appear to apply to his\ncircumstances. She also said that she considered all the provisos her office applied to\nvisit requests as advisory and that Center Security had the final authority regarding\nwhether they were applicable in a particular case.\n\nOnce the Agency Export Control Office approved Jiang\xe2\x80\x9fs request, it was sent back to\nLangley for final review and approval. On February 18, 2011, a Langley security\nemployee approved the request in IdMAX with the following conditions, \xe2\x80\x9cwith escort, no\ncomputer access.\xe2\x80\x9d12 This notation appears directly below the provisos selected by the\nHeadquarters Export Control Office in the IdMAX system.\n\nIdMAX generated an e-mail notification to the Langley technical representative and to\nNIA informing them that Jiang\xe2\x80\x9fs request had been approved and listing the conditions\nthat governed his access, including the Headquarters\xe2\x80\x9f Export Control Office\xe2\x80\x9fs provisos.\nHowever, the Langley technical representative told us that although she noted the subject\nline of the e-mail indicating the request had been approved, she did not read the contents\nof the e-mail until many months later and therefore was not aware of the provisos the\nExport Control Office had imposed. Jiang\xe2\x80\x9fs STTCP sponsor was not copied on this e-\nmail and no one informed him or anyone else in the Branch of the conditions that had\nbeen placed on Jiang\xe2\x80\x9fs visit. Moreover, although NIA located a copy of this e-mail in its\nfiles when we asked for documents in connection with this review, NIA officials told us\nthey had not seen the e-mail at the time and similarly were not aware of the provisos.\n\nOn March 18, 2011, NIA informed Jiang that his access request had been approved and\nthat his NASA visitor badge was ready for pick-up. Because at this point the NACI\ncheck on Jiang had not been completed, the badge indicated that Jiang required an escort\nwhen on Center. Jiang picked up the badge that same day. During his time as a NASA\ncontractor, we determined that Jiang predominately worked at NIA\xe2\x80\x9fs facility and visited\nLangley relatively infrequently. Specifically, Jiang told the FBI that he had been at the\nCenter no more than 30 times in the 2-year period he held a NASA badge.\n\n        A. Jiang Receives Unescorted Access to Langley\n\nPursuant to routine procedures, Langley security officials requested a NACI investigation\nof Jiang, the results of which would determine whether he would be eligible to request\naccess to NASA IT systems and be permitted at Langley without an escort. The Office of\nPersonnel Management (OPM) conducted the NACI investigation and on June 30, 2011,\nsent the results to Langley Office of Security Services. OPM\xe2\x80\x9fs report revealed no\nunfavorable information about Jiang. Accordingly, Langley security personnel contacted\nJiang\xe2\x80\x9fs STTCP sponsor to inform him of the favorable NACI and asked him to describe\nthe project on which Jiang would be working and to list Jiang\xe2\x80\x9fs technology, information,\n\n\n12\n   The term \xe2\x80\x9cno computer access\xe2\x80\x9d means that Jiang was not permitted access to internal NASA IT systems\n(i.e., systems within the NASA IT security firewall).\n\n\n                                                   8\n\x0cand \xe2\x80\x9chardware/software/data\xe2\x80\x9d requirements by completing Attachment D to the STTCP.13\nThe sponsor returned the form to Security with the following language:\n\n        Dr. Jiang will be assisting in our research for the Aviation Safety Program\n        involving real-time video image enhancement hardware processing\n        implementation and testing on a GPU [graphic processing unit] hardware\n        processor located in Room 128 B1299 and his office will be located in that same\n        Visual Information Processing Lab (Room 128). He will have access only to this\n        laboratory computer which is not connected to any network inside the NASA\n        [Langley] firewall. He will be supplying his own laptop computer/hard disk drive\n        which he will use on the guest wireless portal (outside [Langley] firewall) for e-\n        mail/internet access. He will also use this laptop for all his research computing to\n        develop new and refined methods for edge detection and the investigation of new\n        pattern recognition image processing methods.\n\nThe sponsor did not mention that Jiang had previously been given access to a copy of\nRahman\xe2\x80\x9fs hard drive.\n\nBased on the results of the NACI, on July 6, 2011, a Langley Security official authorized\nJiang to request access to NASA IT systems.14 This determination did not automatically\ngive Jiang the right to receive a NASA laptop or to access NASA IT systems. Rather, it\nmeant he was eligible to request such access. At the same time, Jiang was issued a new\nvisitor\xe2\x80\x9fs badge that permitted him unescorted access to the Center.\n\nIn August 2011, Branch personnel purchased a Dell Precision M4600 laptop for Jiang\nthrough a NASA IT contract. Prior to this date, Jiang had a NIA laptop, but that machine\nwas not powerful enough to support his programming needs and he could not use the\nBranch\xe2\x80\x9fs computer identified in Attachment D of this STTCP because the file systems in\nthe computer had been damaged. The Dell laptop was a commercial off-the-shelf product\navailable for sale at retail outlets. NIA also purchased an external hard drive for Jiang to\nback-up his research and an internal solid-state hard drive for the Dell laptop. Jiang\nreplaced the original hard drive with the commercially available hard drive to enhance\nthe computer\xe2\x80\x9fs performance for his research. No one informed Langley security or\nexport control personnel about the purchase and modification of the Dell laptop or\ncorrected the statement in the STTCP that Jiang would be using his own equipment to\nconduct his research.\n\n\n13\n   This part of the process was a relatively new responsibility for the Office of Security Services. Until\napproximately early 2011, Langley\xe2\x80\x9fs Office of Chief Information Officer (OCIO) would have played a role\nin determining which IT systems foreign nationals would be given access. However, in a streamlining\neffort the OCIO was removed from the foreign national visitor process. Langley management is now\ntaking steps to reinsert the OCIO in the process.\n14\n  NASA records indicate that Jiang was assigned a NASA e-mail account, domain user name, and domain\npassword on October 24, 2012. However, records also show that Jiang never accessed any of these\naccounts and in fact sent an e-mail stating that he preferred to operate outside the NASA firewall because\nhe was concerned that losing administrative rights to his computer would hinder his research.\n\n                                                     9\n\x0cOnce the laptop arrived at Langley, it was shipped to Jiang at NIA with a \xe2\x80\x9cNASA Form\n52 \xe2\x80\x93 Shipping/Transfer Document,\xe2\x80\x9d dated September 9, 2011. This form memorialized\nthe transfer of accountability for the laptop from NASA to NIA. Thereafter, NIA\nreported the computer to NASA as Langley property in the custody of contractors.\nAccording to the NASA\xe2\x80\x9fs Grants and Cooperative Agreements Handbook, in such cases\nownership of the computer remains with NASA but responsibility for safeguarding the\ndevice and its contents rests with the contractor.\n\nJiang used the NASA-provided laptop to access NIA e-mail and to work on his NASA-\nfunded research. We found that Jiang used this laptop to access Langley\xe2\x80\x9fs guest Wi-Fi\ninternet connection a total of 18 times beginning in September 2011 and ending in\nOctober 2012. We found no evidence that Jiang ever accessed any NASA computer\nsystem other than this guest network.\n\n       B. Jiang Travels to China\n\nIn November 2011, Jiang traveled to China to visit his family and took the Dell laptop\nwith him. One of Jiang\xe2\x80\x9fs sponsors told us that when Jiang asked him if he could take the\nlaptop to China he was unsure of the answer and therefore called a NASA industrial\nproperty management specialist and posed the question. He said the specialist told him\nthat because the laptop had been turned over to NIA, it was NIA\xe2\x80\x9fs decision whether Jiang\ncould take it to China. He said he therefore told Jiang he would have to consult with NIA\nabout taking the computer to China. We interviewed the specialist with whom the\nsponsor said he had spoken and she told us she had no recollection of discussing the\nmatter with him.\n\nWe also interviewed NIA officials. One official told us that no one at NIA was aware\nthat Jiang had taken the computer to China and that no one in the organization gave Jiang\npermission to do so. He also said that one of Jiang\xe2\x80\x9fs Langley sponsors told him that he\n(the sponsor) had given Jiang permission to take the computer to China. An e-mail we\nfound on Jiang\xe2\x80\x9fs computer corroborates this statement. In the e-mail, the sponsor\nresponds to Jiang\xe2\x80\x9fs question of whether he can travel with the computer by saying, \xe2\x80\x9cyou\ncan take it as far as I know. Just take all the normal precautions as if it were yours, of\ncourse.\xe2\x80\x9d Moreover, in response to a question supplied by the OIG, Jiang told the FBI\nbefore he left the country that his sponsor had authorized him to take the NASA-issued\nlaptop to China.\n\nWe re-interviewed the sponsor at the conclusion of our investigation to address these\ninconsistencies. He again stated that he told Jiang he did not have the authority to give\nhim permission to take the laptop to China, denied making the statement to the NIA\nofficial cited above, and could not explain why Jiang would tell the FBI that he\nauthorized him to take the laptop to China. When we showed the sponsor the e-mail\nexchange between him and Jiang about traveling with the laptop, he questioned the\naccuracy and completeness of the e-mail. He speculated it was possible that additional\ntext was left out of the e-mail, that the two men may have been discussing another device,\n\n\n\n                                            10\n\x0cor that the e-mail simply did not capture oral discussions between himself and Jiang\nabout the issue.\n\nNASA policy provides that only IT equipment approved by the NASA Chief Information\nOfficer (CIO) for use outside the United States may be taken on international travel. The\npolicy further provides that Agency laptops or personal computers should not be used for\nofficial business on international trips unless written authorization is obtained from the\nCenter CIO. The Dell computer was not approved by the NASA CIO for international\ntravel and Jiang did not request or receive approval from the Langley CIO to take the\nlaptop to China. Although Jiang\xe2\x80\x9fs STTCP specifically noted that his NASA\nidentification badge could not be carried outside the United States, it did not address\ntaking IT equipment out of the country. In addition, we found no evidence that Jiang was\notherwise informed of Agency policy prohibiting international travel with NASA IT\nequipment absent approval by the CIO.15\n\n        C. NIA Requests that Jiang\xe2\x80\x99s Access be Extended\n\nNIA requested that Jiang\xe2\x80\x9fs access privileges be extended beyond September 25, 2012, the\ndate they were set to expire. On June 22, 2012, a new STTCP was generated indicating\nthat Jiang would be using commercial off-the-shelf hardware and software for his work.\nHowever the Plan failed to specifically identify the Dell laptop or mention the\nmodification made to it. This document was uploaded into IdMAX on July 5 by NIA.\n\nNIA\xe2\x80\x9fs request to extend Jiang\xe2\x80\x9fs access prompted a new round of approval requests in the\nIdMAX system. When the request reached the Headquarters\xe2\x80\x9f Export Control Office,\npersonnel there again attached provisos to Jiang\xe2\x80\x9fs access request. They selected 6 of the\n10 provisos that had been attached to the first request, including the proviso requiring that\nJiang be escorted while on Center. They omitted the provisos requiring a valid visa,\nprohibiting release of NASA software source code, denying payment of NASA funds,\nand requiring coordination with the Center Export Administration regarding whether the\nwork qualified as fundamental research. The contract employee told us that she could not\nspecifically recall why she included these provisos the first time she reviewed Jiang\xe2\x80\x9fs\nvisit request but omitted them the second time. She speculated that she omitted the\nproviso on fundamental research because Jiang\xe2\x80\x9fs work had not changed and therefore did\nnot need to be re-evaluated. She could not explain why she did not include the proviso\nabout releasing NASA source code. With regard to the visa requirement and the \xe2\x80\x9cno\nfunds\xe2\x80\x9d proviso, she said her supervisor had previously removed these two provisos from\nthe Office\xe2\x80\x9fs master list because they were matters that should be determined by security\nand procurement rather than export control personnel.\n\nWe also asked the Headquarters personnel why they continued to impose the escort\nprovision when Jiang had received a favorable NACI review and months before had been\n\n15\n  In response to OIG questions, Jiang told the FBI that no one other than him accessed the laptop while he\nwas in China, that he did not provide Rahman\xe2\x80\x9fs data to anyone in China, and that he did not provide\nanyone in China with NASA data or information.\n\n\n                                                    11\n\x0cissued a badge that did not require escort. Both said they were not aware of this\ninformation. We note that the information about the favorable NACI and the unescorted\nbadge was in the IdMAX system, albeit not immediately viewable from the main page\nthese employees viewed to select the provisos.\n\nOn August 21, 2012, a Langley security official approved the request to extend Jiang\xe2\x80\x9fs\naccess privileges until Feburary 8, 2013, with the Headquarters\xe2\x80\x9f Export Control Office\nproviso that Jiang be escorted while on Center. We asked the official why he approved\nthe request with the escort condition given the favorable NACI and unescorted badge\nJiang had been issued months earlier. He said that he and others in Langley\xe2\x80\x9fs security\noffice viewed the Headquarters\xe2\x80\x9f provisos as boilerplate and that he had questioned the\nsame inconsistency with the escort proviso in the case of another foreign national but was\ntold by Headquarters that Center security was the final authority and that the proviso did\nnot prevent them from issuing an unescorted badge. Similar to the earlier approval\nprocess, the provisos were not shared with Jiang or his STTCP sponsors.\n\n       D. Jiang\xe2\x80\x99s Second Trip to China and the Request that Jiang Have an Office\n          on Center\n\nIn October 2012, one of Jiang\xe2\x80\x9fs sponsors decided he wanted to have Jiang work at\nLangley on a daily basis so he could observe his work firsthand and better evaluate his\ncontributions to the team. This triggered the need for a revised STTCP because Jiang\xe2\x80\x9fs\ncurrent Plan did not indicate that he would be assigned an office at Langley.\nAccordingly, NIA submitted a request for the change through IdMAX and the sponsor\nsubmitted a revised STTCP. One month later in November 2012, Jiang again traveled to\nChina, taking with him the Dell computer and the NIA external hard drive he used to\nback up his files.\n\nAs with the previous STTCPs, the revised Plan was provided to Langley export control\npersonnel for review. An export control professional who was not involved with the\nearlier requests reviewed this request, undertaking a full re-examination of Jiang\xe2\x80\x9fs access\nprivileges. She explained to OIG investigators that she took this step because she found\nissues with his access that caused her concern. For example, she noted that he was a\ngraduate of University of Electronic Science and Technology of China, which had been\nadded as \xe2\x80\x9can entity of concern\xe2\x80\x9d to the Department of Commerce\xe2\x80\x9fs Bureau of Industry and\nSecurity Entity List in September 2012.\n\nAs part of her review, the official asked for the model numbers and location of any\nNASA-owned IT devices in Jiang\xe2\x80\x9fs possession. Jiang\xe2\x80\x9fs sponsor told the export office\nabout the Dell laptop, including that it contained a copy of the information that had been\non Rahman\xe2\x80\x9fs hard drive at the time of his death and that Jiang had taken it to China.\n\nWe confirmed that the graphics processing unit in the Dell Precision M4600 laptop is\namong the items the U.S. Bureau of Industry and Security says may not be exported to\ncertain entities without a license and that the University of Electronic Science and\n\n\n\n                                            12\n\x0cTechnology is one such entity. However, China itself is not and consequently there are\nno restrictions on bringing this model of laptop into the country.\n\nThe Langley export official told us that she became quite concerned when she learned\nthat Jiang had taken the Dell laptop to China. She told us that other aspects of Jiang\xe2\x80\x9fs\nvisit also troubled her \xe2\x80\x93 most prominently that NASA was paying for Jiang\xe2\x80\x9fs research\nthrough the NIA cooperative agreement. She said that she believed that this payment\nviolated the funding restrictions in NASA\xe2\x80\x9fs appropriations legislation. She also said she\nwas troubled that Jiang\xe2\x80\x9fs sponsors had not asked for an export control review before\nproviding Jiang with access to the information on Rahman\xe2\x80\x9fs hard drive. She said she\nraised her concerns with attorneys at Langley and personnel in the Headquarters\xe2\x80\x9f Export\nControl Office and held off approving the extension of Jiang\xe2\x80\x9fs visit request based on\nthese concerns.\n\nOn December 12, 2012, an NIA Human Resources employee e-mailed Jiang and told him\nthat upon his return to the United States he should report to NIA with all Government-\nissued equipment. Jiang returned to the United States on December 18 and turned in the\nDell laptop and NIA external hard drive to NIA the next day. Langley security personnel\nretrieved the computer and hard drive from NIA on December 20 and turned them over to\nCenter computer security personnel to determine whether they contained export-\ncontrolled information.\n\nOn January 11, 2013, NIA terminated Jiang\xe2\x80\x9fs employment. An NIA Official told us that\nthe termination resulted both from Jiang\xe2\x80\x9fs violation of NIA policy by taking the laptop to\nChina and because NASA had ended the agreement under which he had been hired. That\nsame day Jiang turned in his NASA badge.\n\nLater that January, Langley IT security personnel issued a report stating that they found\n\xe2\x80\x9cno evidence\xe2\x80\x9d of export-controlled information on the Dell laptop.16 In March 2013,\nLangley\xe2\x80\x9fs Security Services Branch issued a \xe2\x80\x9cStatement of Inquiry\xe2\x80\x9d relating to the Jiang\nmatter. The report concluded that the project Jiang was working on was not fundamental\nresearch and therefore it had been improper to share information from Rahman\xe2\x80\x9fs hard\ndrive with Jiang, that the funding restrictions in NASA\xe2\x80\x9fs appropriation law prohibited the\nAgency from hiring Jiang pursuant to the NIA cooperative agreement, and that Jiang and\nhis sponsors had committed various export control violations in connection with his visit\nand work.\n\n\n\n\n16\n   According to DOJ officials, this examination did not include a visual review of all of the information on\nthe laptop but rather consisted of searches for key terms and markings that would indicate export-controlled\ninformation. In addition, these officials noted that the individual who conducted the search was not a\ntrained export control professional. Langley IT security personnel did not conduct a separate forensic\nreview of the NIA hard drive because Jiang used it as a backup and therefore it contained the same data as\nthe laptop.\n\n                                                    13\n\x0c     IV.     ANALYSIS\n\nWe found that Langley\xe2\x80\x9fs process for requesting access for foreign nationals was\nstructured pursuant to NASA regulations. However, we also found the process overly\ncomplex, required input from numerous Center and Headquarters employees, and not\nsufficiently integrated to ensure that responsible personnel had access to all relevant\ninformation. In addition, we determined that several employees who had roles in the\nscreening process made errors that contributed to the confusion about the proper scope of\nJiang\xe2\x80\x9fs access to Langley facilities and IT resources and the appropriateness of Jiang\ntaking his NASA-provided laptop to China.\n\nFirst, we were struck by the highly-bureaucratic nature of Langley\xe2\x80\x9fs process for\nreviewing foreign visit requests. Each of the many actors in the process appeared to view\ntheir role in isolation, with little consideration or understanding of the role others played\nin the process. In many instances, individuals seemed more focused on moving requests\ninto the next person\xe2\x80\x9fs in-box than ensuring that their actions made sense in the context of\nthe request they had been asked to review.\n\nFor example, a Langley employee approved one of Jiang\xe2\x80\x9fs visit requests in IdMAX on\nthe condition that he be escorted while on Center even though the employee knew that\nLangley security had issued an unescorted badge to Jiang months earlier. Furthermore,\nwhen questioned about the seeming contradiction he said he did not believe the condition\nmade sense. Similarly, another Langley employee approved one of Jiang\xe2\x80\x9fs requests with\na \xe2\x80\x9cno funding\xe2\x80\x9d proviso even though it was clear that Jiang would be working for NIA\npursuant to a funded cooperative agreement with NASA. Moreover, both individuals\ndismissed the provisos attached by the Headquarters Export Control Office to foreign\nvisit requests as \xe2\x80\x9cboilerplate.\xe2\x80\x9d17\n\nIn some instances, employees seemed to realize that they did not fully understand what\nthey were doing or why they were doing it but proceeded anyway, assuming that\nsomeone else down the road would figure it out. The starkest example of this\nphenomenon was the Headquarters export control supervisor who admitted that although\n\xe2\x80\x9cno one\xe2\x80\x9d knew what the no funding proviso meant the Office routinely attached it to all\nforeign visit requests. In the case of Jiang, having this and other incorrect provisos\nattached to his request in the IdMAX system caused confusion both inside and outside\nNASA about the appropriate boundaries of his visit.\n\nSecond, we believe that much of the confusion about the proper scope of Jiang\xe2\x80\x9fs access at\nLangley occurred either because not all the players in the process had access to all of the\nrelevant information or because individuals failed to exercise sufficient diligence in\ncompleting their duties. For example, although Jiang\xe2\x80\x9fs STTCP sponsors had the most\nday-to-day contact with him and the most information about the work he was to perform,\nthey were never informed of the provisos the Export Control Office and Langley security\n\n17\n  Several witnesses involved in the process told us the high volume of Langley foreign visitor requests\nthey received often overwhelmed them. Although this does not excuse the mistakes made, it may help\nexplain them.\n\n                                                    14\n\x0cplaced on Jiang\xe2\x80\x9fs visit, and therefore were not in a position to question whether the\nprovisos were appropriate or necessary. Although Export Control and Center security\nattached provisos through the IdMAX system and those provisos were visible on various\nIdMAX screens, there was no formal role for STTCP sponsors in the IdMAX process and\nno procedures established to ensure that IdMAX provisos were reflected in the STTCP or\notherwise conveyed to sponsors.\n\nSimilarly, NIA appeared to lack sufficient procedures to ensure that appropriate officials\nin its organization were informed of the restrictions NASA placed on Jiang\xe2\x80\x9fs access to\nthe Center. Although IdMAX automatically generated an e-mail to NIA that contained\nthe restrictions, that e-mail was received by a low-level administrative employee and no\none else at the organization was aware of this information until we requested copies of\ndocuments and e-mails as part of our investigation of this matter.\n\nWith respect to lack of due diligence, the Langley technical representative admitted that\nshe did not read the contents of the February 2011 IdMAX notification approving Jiang\xe2\x80\x9fs\naccess request until many months later. Therefore, she was not aware of the conditions\nthat had been attached to his visit and not in a position to pass that information on to\nJiang\xe2\x80\x9fs sponsors.\n\nThird, both system and individual failures contributed to Jiang inappropriately taking his\nNASA-provided laptop to China. From a system perspective, the STTCP did not\nreference NASA policy prohibiting employees and contractors from taking NASA IT\nresources outside the United States without the permission of the Center CIO, so neither\nJiang nor his sponsor could consult the document for this information when the question\narose. From an individual perspective, the preponderance of the evidence available to us\nsuggests that one of Jiang\xe2\x80\x9fs sponsors inappropriately authorized Jiang to take the laptop\nto China. Although the sponsor claims that he consulted with an industrial property\nmanagement specialist at Langley about Jiang\xe2\x80\x9fs request and, based on that conversation,\ntold Jiang to consult with NIA about taking the computer to China, the specialist recalls\nno such conversation. Moreover, other available evidence \xe2\x80\x93 including statements from\nNIA officials and an e-mail found on Jiang\xe2\x80\x9fs laptop \xe2\x80\x93 suggest that the sponsor authorized\nJiang to take the computer to China. In his two interviews with the OIG, the sponsor\nattempted to explain away evidence supporting this conclusion. However, we are not\nconvinced and conclude that the evidence suggests he gave Jiang permission to take the\ncomputer to China.\n\nFourth, we believe Jiang\xe2\x80\x9fs sponsors erred in not consulting Center export personnel\nbefore providing Jiang access to Rahman\xe2\x80\x9fs hard drive or informing export officials they\nhad done so in a timely manner. We acknowledge that both sincerely believe that the\ninformation on the hard drive is fundamental research not subject to export control\nrestrictions. Nevertheless, both admitted that they could not fully decipher Rahman\xe2\x80\x9fs file\nsystem and did not have a complete understanding of the information contained on the\nhard drive. Moreover, the process of ensuring that export control restrictions are\nfollowed requires cooperation and collaboration between researchers and export control\nprofessionals. By failing to consult with others about the hard drive, the sponsors short-\n\n\n                                            15\n\x0ccircuited this process and helped engender suspicion when Langley export control\npersonnel later learned about the information sharing. For similar reasons, they should\nhave immediately informed Langley export control and security personnel about the\npurchase of the Dell laptop for Jiang.18\n\nFinally, we do not believe that NASA violated appropriations restrictions by hiring Jiang\nas a paid contractor through the NIA cooperative agreement. While the provision\nprohibits the Agency from hosting official Chinese visitors and expending funds to\nexecute bilateral agreements with the Chinese government or Chinese companies, it does\nnot extend to work conducted by individual Chinese citizens like Jiang who are not\nofficial representatives of the Chinese government or affiliated with a Chinese company.\n\nAccordingly, we believe that concerns related to the funding restriction were unfounded.\nSimilarly, we find faulty the conclusion in the Langley Security Office\xe2\x80\x9fs Statement of\nInquiry that NIA violated the terms of Jiang\xe2\x80\x9fs STTCP and may have violated the Federal\nFalse Claims Act by \xe2\x80\x9cclaiming funds, in excess of $300,000 from NASA for Jiang\xe2\x80\x9fs visit,\nthat were not authorized under the terms of the visit.\xe2\x80\x9d Again, inclusion of this and other\ninaccurate information in the report fueled confusion both inside and outside NASA\nabout the propriety of Jiang\xe2\x80\x9fs access to Langley and to Center data and IT resources.\n\n\n      V.     CONCLUSION AND RECOMMENDATIONS\n\nIn the wake of the Jiang incident and at the request of the NASA Administrator, Langley\nmanagement has taken a number of steps to strengthen its foreign national visit process.\nThese measures include increased education and training for Langley employees, revising\nthe STTCP to include any provisos listed in the IdMAX system as well as the penalties\nfor violating the Plan, and ensuring that the Center CIO\xe2\x80\x9fs Office is involved in the\nforeign visitor request process. More broadly, in response to a suggestion from\nCongressman Wolf, NASA has contracted with the National Academy of Public\nAdministration (NAPA) to assess the effectiveness of the Agency\xe2\x80\x9fs foreign national\naccess programs and processes. NAPA is scheduled to deliver a draft of its report to\nNASA by the end of the calendar year.\n\nIn addition to these and other ongoing measures, we offer the following\nrecommendations to further improve NASA\xe2\x80\x9fs foreign visitor approval process:\n\n     1. Examine the roles of the different offices that have input into the foreign visitor\n        approval process and ensure that all appropriate offices are represented and that\n        responsibilities are appropriately assigned.\n\n     2. Improve training for sponsors of foreign nationals to ensure they understand how\n        the foreign national visit approval process works and their responsibilities as\n        sponsors. This training should be required prior to an individual becoming a\n\n18\n  We also note that the sponsors failed to ensure that Jiang received the required security briefing or that\nother NASA employees were aware of Jiang\xe2\x80\x9fs access limitations in light of his status as a foreign national.\n\n                                                     16\n\x0c   sponsor and be repeated at least annually as long as they continue to serve in this\n   capacity.\n\n3. Revise the STTCP to include NASA policy regarding taking IT equipment out of\n   the United States and ensure that employees are trained regarding this policy.\n\n4. Consider the following improvements to IdMAX:\n      a. Require individuals who will be acting as sponsors to acknowledge receipt\n         of the Plan and their understanding of all conditions placed on the visits of\n         foreign nationals they are sponsoring; and\n      b. Prevent the system from generating final approval until all key\n         documents, including the STTCP, are loaded into the system.\n\n5. Ensure that NIA and other similar organizations have a process in place so that\n   appropriate organizational officials are aware of any conditions NASA places on\n   foreign nationals associated with their organizations who are working with\n   NASA.\n\n6. Consider whether discipline and/or performance-based counseling is appropriate\n   for any of the NASA civil servants discussed in this report.\n\n\n\n\n                                        17\n\x0c'